Microsoft Expands Passwordless Experience to Entra ID-Joined Windows 11 Devices

Key Takeaways:

  • Microsoft implemented a new policy that brings passwordless authentication to Entra ID-joined Windows 11 devices.
  • The new policy enables organizations to use secure authentication methods like Windows Hello for Business or FIDO2 security keys, which are resistant to phishing attempts.
  • A new web sign-in experience lets users log in with SAML-P federated identity or the Microsoft Authenticator application.

Microsoft has introduced a new policy that enables organizations to bid farewell to passwords and embrace the era of passwordless authentication on Entra ID-joined Windows 11 devices. The passwordless authentication experience rolled out to commercial customers with the September 2023 update for Windows 11 version 22H2.

“Phish-resistant credentials like Windows Hello for Business or FIDO2 security keys are both passwordless solutions and can protect user identities by removing the need to use passwords from day one. Commercial organizations can now set the EnablePasswordlessExperience MDM policy from Intune or another MDM to enable a fully passwordless user experience on Microsoft Entra ID joined machines,” Microsoft explained.

Once the policy is enabled, employees will no longer need to enter their passwords when signing into their Windows 11 PCs. Additionally, the password prompt won’t be required for User Account Control (UAC), “Run as” admin scenarios, and in-session authentications through a web browser. Moreover, Windows 11 users won’t find the “Change password” option in the Settings app. Users will need to use the Ctrl + Alt + Del keys to change their passwords instead.

Passwordless authentication reinforces security for organizations

The new passwordless experience allows organizations to employ secure authentication methods like Windows Hello for Business or FIDO2 keys, which are resistant to phishing attempts. If these methods don’t work, employees can use alternative recovery mechanisms such as PIN reset or web sign-in to regain access to their credentials.

Microsoft has also rolled out a new web sign-in experience to boost security on Entra ID-joined Windows 11 devices. The feature allows users to sign in with a SAML-P federated identity or the Microsoft Authenticator application. “The new experience is more secure, reliable, and performant—and is now available for all Microsoft Entra ID authentication methods,” Microsoft added.

Microsoft introduced the passwordless experience for consumers back in 2021. The expansion of this feature now paves the way for enterprise customers to transition from passwords to modern authentication methods gradually.